Delegate Role Assignments Overview

Bias Analysis

Bias Types:

⚠️ powershell_heavy

⚠️ windows_first

Summary:

The documentation provides both Azure PowerShell and Azure CLI examples for delegating role assignment management with conditions. However, the PowerShell example is presented before the Azure CLI example, which can be interpreted as a 'windows_first' bias. Additionally, the PowerShell example is more detailed and uses Windows-style variable assignment (e.g., $variable), while the Azure CLI example uses Windows batch syntax for variable assignment (set variable=value), which is not compatible with Linux shells. There are no explicit Linux shell (bash) examples, and the CLI example does not use cross-platform syntax, indicating a 'powershell_heavy' and 'windows_first' bias.

Recommendations:

Provide Azure CLI examples using bash-compatible syntax (e.g., export VAR=value or VAR=value) for variable assignment, rather than Windows batch 'set' commands.
Present Azure CLI (cross-platform) examples before or alongside PowerShell examples to avoid the perception of Windows-first bias.
Explicitly mention that Azure CLI commands are cross-platform and provide both Windows and Linux/macOS shell variants where variable assignment or scripting is involved.
Consider adding a note or tab for Linux/macOS users, especially in sections where scripting or environment setup differs between platforms.

Create pull request

Date	Scan ID	Status	Bias Status
2025-09-10 00:00	#107	completed	✅ Clean
2025-08-17 00:01	#83	in_progress	✅ Clean
2025-07-13 21:37	#48	completed	✅ Clean
2025-07-12 23:44	#41	in_progress	❌ Biased

Flagged Code Snippets

$roleDefinitionId = "f58310d9-a9f6-439a-9e8d-f62e7b41a168" $principalId = "<principalId>" $scope = "/subscriptions/<subscriptionId>" $condition = "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {5e467623-bb1f-42f4-a55d-6e525e11384b, a795c7a0-d4a2-40c1-ae25-d81f01202912} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'User'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {5e467623-bb1f-42f4-a55d-6e525e11384b, a795c7a0-d4a2-40c1-ae25-d81f01202912} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'User'}))" $conditionVersion = "2.0" New-AzRoleAssignment -ObjectId $principalId -Scope $scope -RoleDefinitionId $roleDefinitionId -Condition $condition -ConditionVersion $conditionVersion

set roleDefinitionId="f58310d9-a9f6-439a-9e8d-f62e7b41a168" set principalId="{principalId}" set principalType="User" set scope="/subscriptions/{subscriptionId}" set condition="((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {5e467623-bb1f-42f4-a55d-6e525e11384b, a795c7a0-d4a2-40c1-ae25-d81f01202912} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'User'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {5e467623-bb1f-42f4-a55d-6e525e11384b, a795c7a0-d4a2-40c1-ae25-d81f01202912} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'User'}))" set conditionVersion="2.0" az role assignment create --assignee-object-id %principalId% --assignee-principal-type %principalType% --scope %scope% --role %roleDefinitionId% --condition %condition% --condition-version %conditionVersion%

Document Details

About This Page

Bias Analysis

Scan History

Flagged Code Snippets